Router and firewall pfSense 2.0 final release is out
jopen, 13 years ago
<p>pfSense 2.0 is based on FreeBSD 8.1. Major improvements include enhanced IP aliases, a dashboard with widgets, SMTP and Growl alerts, a new traffic shaper, Layer 7 protocol filtering, NAT engine and configuration improvements, a certificate manager, VPN improvements, virtual wireless AP support, and more.<br /> <img title="pfsense.png" border="0" alt="pfsense.png" src="https://simg.open-open.com/show/30d5038823b637e32bb769fe5e3f42ac.png" width="90" height="90" /><br /> <br /> pfSense is a free, open-source firewall and router distribution built on FreeBSD.</p>
<p>pfSense is an operating system derived from m0n0wall. The technologies it uses include Packet Filter (pf), ALTQ from FreeBSD 6.x (or DragonFly BSD, once ALTQ and CARP are completed there) for first-class packet queueing support, and an integrated package management system for extending the environment with new features.</p>
<p><br /> <span style="font-weight:bold;">Project site</span>: <a href="/misc/goto?guid=4958196548251107564" target="_blank">http://www.pfsense.com/</a></p>
<p>The details are as follows:</p>
<h3><span class="mw-headline">Operating System </span></h3>
<ul>
<li>Based on the FreeBSD 8.1 release.</li>
<li>i386 and amd64 variants for all install types (full install, NanoBSD/embedded, etc.)</li>
<li>USB memstick installer images available</li>
</ul>
<a id="Interfaces" name="Interfaces"></a>
<h3><span class="mw-headline">Interfaces </span></h3>
<ul>
<li>GRE tunnels</li>
<li>GIF tunnels</li>
<li>3G support</li>
<li>Dial-up modem support</li>
<li>Multi-Link PPP (MLPPP) for bonding PPP connections (the ISP/upstream must also support MLPPP)</li>
<li><a title="LAGG Interfaces" href="/misc/goto?guid=4958196549011915938">LAGG Interfaces</a></li>
<li>Interface groups</li>
<li>IP Alias type Virtual IPs</li>
<li>IP Alias VIPs can be stacked on CARP VIPs to go beyond the 255 VHID limit in deployments that need very large numbers of CARP VIPs.</li>
<li>QinQ VLANs</li>
<li>Block Private Networks / Block Bogon Networks can be used on any interface</li>
<li>All interfaces are optional except WAN</li>
<li>All interfaces can be renamed, even LAN/WAN</li>
<li>Bridging enhancements: all options of if_bridge can now be controlled, and bridge interfaces can be assigned</li>
</ul>
<a id="Gateways.2FMulti-WAN" name="Gateways.2FMulti-WAN"></a>
<h3><span class="mw-headline">Gateways/Multi-WAN </span></h3>
<ul>
<li>Gateways, including dynamic gateways, are specified under System &gt; Routing</li>
<li>Gateways can have custom monitor IPs</li>
<li>Gateways can have a custom weight, allowing load balancing with ratios between WANs of different speeds</li>
<li>Gateways can have custom latency, loss, and downtime trigger levels.</li>
<li>Gateway monitoring via ICMP is now configurable.</li>
<li>You can have multiple gateways per interface</li>
<li>Multi-WAN is now handled via gateway groups</li>
<li>Gateway groups can include multiple tiers with any number of gateways on each, for complex failover and load balancing scenarios.</li>
</ul>
<a id="General_Web_GUI" name="General_Web_GUI"></a>
<h3><span class="mw-headline">General Web GUI </span></h3>
<ul>
<li>Set to HTTPS by default; HTTP redirects to the HTTPS port</li>
<li>Dashboard and widgets added</li>
<li>System &gt; Advanced screen split into multiple tabs, with more options available.</li>
<li>SMTP email alerts and Growl alerts</li>
<li>New default theme: pfsense_ng</li>
<li>Some community-contributed themes added</li>
<li>Contextual help available on every page in the web interface, linking to a web page containing help and documentation specific to that page.</li>
<li>Help menu for quick access to online resources (forum, wiki, paid support, etc.)</li>
</ul>
<a id="Aliases" name="Aliases"></a>
<h3><span class="mw-headline">Aliases </span></h3>
<ul>
<li>Aliases may be nested (aliases within aliases)</li>
<li>Alias autocomplete is no longer case sensitive</li>
<li>IP ranges in aliases</li>
<li>More alias entries supported</li>
<li>Bulk alias importing</li>
<li>URL aliases</li>
<li>URL Table aliases: use a pf persist table for large (40,000+) entry lists</li>
</ul>
<a id="Firewall" name="Firewall"></a>
<h3><span class="mw-headline">Firewall </span></h3>
<ul>
<li>Traffic shaper rewritten: it now handles any combination of multi-WAN and multi-LAN interfaces. New wizards added.</li>
<li>Layer 7 protocol filtering</li>
<li><a title="Adding Rules With easyrule" href="/misc/goto?guid=4958196549744755023">EasyRule: add firewall rules from the log view (and from the console!)</a></li>
<li>Floating rules allow adding rules that are not tied to a specific interface</li>
<li>Dynamically sized state table based on the amount of RAM in the system</li>
<li>More advanced firewall rule options</li>
<li>FTP helper now in the kernel</li>
<li>TFTP proxy</li>
<li>Scheduled rules are handled in pf, so they can use all the rule options.</li>
<li>State summary view; the report shows states grouped by originating IP, destination IP, etc.</li>
</ul>
<a id="NAT" name="NAT"></a>
<h3><span class="mw-headline">NAT </span></h3>
<ul>
<li>All of the NAT screens were updated with additional functionality</li>
<li>Port forwards can now create and update associated firewall rules automatically, instead of only creating unrelated entries.</li>
<li>Port forwards can optionally use "rdr pass" so that no firewall rule is needed.</li>
<li>Port forwards can be disabled</li>
<li>Port forwards can be negated ("no rdr")</li>
<li>Port forwards can have source and destination filters</li>
<li>NAT reflection improvements, including NAT reflection for 1:1 NAT</li>
<li>Per-entry NAT reflection overrides</li>
<li>1:1 NAT rules can specify a source and destination address</li>
<li>1:1 NAT page redesigned</li>
<li>Outbound NAT can now translate to an address pool (a subnet of IPs or an alias of IPs) of multiple external addresses</li>
<li>Outbound NAT rules can be specified by protocol</li>
<li>Outbound NAT rules can use aliases</li>
<li>Improved generation of outbound NAT rules when switching from automatic to manual.</li>
</ul>
<a id="IPsec" name="IPsec"></a>
<h3><span class="mw-headline">IPsec </span></h3>
<ul>
<li>Multiple IPsec phase 2 entries per phase 1 (multiple subnets)</li>
<li>IPsec xauth support</li>
<li>IPsec transport mode added</li>
<li>IPsec NAT-T</li>
<li>Option to push settings such as IP, DNS, etc. to mobile IPsec clients (mod_cfg)</li>
<li>Mobile IPsec works with iOS and Android (certain versions; see <a title="Mobile IPsec on 2.0" href="/misc/goto?guid=4958196550481978411">Mobile IPsec on 2.0</a>)</li>
<li>More Phase 1/2 options can be configured, including the cipher type/strength</li>
<li>ipsec-tools version 0.8</li>
</ul>
<a id="User_Manager" name="User_Manager"></a>
<h3><span class="mw-headline">User Manager </span></h3>
<ul>
<li>New user manager, centralizing the various user configuration screens previously available.</li>
<li>Per-page user access permissions for administrative users</li>
<li>Three built-in authentication types: local users, LDAP and RADIUS.</li>
<li>Authentication diagnostics page</li>
</ul>
<a id="Certificate_Manager" name="Certificate_Manager"></a>
<h3><span class="mw-headline">Certificate Manager </span></h3>
<ul>
<li>Certificate manager added, for handling IPsec, web interface, user, and OpenVPN certificates.</li>
<li>Handles creation/import of Certificate Authorities, certificates, and Certificate Revocation Lists.</li>
<li>Eliminates the need for command line tools such as EasyRSA for managing certificates.</li>
</ul>
<a id="OpenV*N" name="OpenV*N"></a>
<h3><span class="mw-headline">OpenVPN </span></h3>
<ul>
<li>OpenVPN wizard guides you through making a CA/certificate and an OpenVPN server, sets up firewall rules, and so on. Greatly simplifies the process of creating a remote access OpenVPN server.</li>
<li>OpenVPN filtering: an OpenVPN rules tab is available, so OpenVPN interfaces do not have to be assigned to perform filtering.</li>
<li>OpenVPN client export package: provides a bundled Windows installer with certificates, Viscosity export, and export of a zip file containing the user's certificate and configuration files.</li>
<li>OpenVPN status page with connected client list; client connections can also be killed from it</li>
<li>User authentication and certificate management</li>
<li>RADIUS and LDAP authentication support</li>
</ul>
<a id="Captive_Portal" name="Captive_Portal"></a>
<h3><span class="mw-headline">Captive Portal </span></h3>
<ul>
<li>Voucher support added</li>
<li>Multi-interface capable</li>
<li>Pass-through MAC bandwidth restrictions</li>
<li>Custom logout page contents can be uploaded</li>
<li>Allowed IP addresses bandwidth restrictions</li>
<li>Allowed IP addresses supports IP subnets</li>
<li>"Both" direction added to Allowed IP addresses</li>
<li>Pass-through MAC Auto Entry: upon successful authentication, a pass-through MAC entry can be added automatically.</li>
<li>Ability to configure calling station RADIUS attributes</li>
</ul>
<a id="Wireless" name="Wireless"></a>
<h3><span class="mw-headline">Wireless </span></h3>
<ul>
<li>Virtual AP (VAP) support added</li>
<li><a class="external text" title="https://docs.google.com/spreadsheet/ccc?key=0AojFUXcbH0ROdHgwYkFHbkRUdV9hVWljVWl5SXkxbFE&hl=en_US" href="https://docs.google.com/spreadsheet/ccc?key=0AojFUXcbH0ROdHgwYkFHbkRUdV9hVWljVWl5SXkxbFE&hl=en_US" rel="nofollow">More wireless cards supported with the FreeBSD 8.1 base</a></li>
</ul>
<a id="Server_Load_Balancing" name="Server_Load_Balancing"></a>
<h3><span class="mw-headline">Server Load Balancing </span></h3>
<ul>
<li>relayd and its more advanced capabilities replace slbd.</li>
</ul>
<a id="Other" name="Other"></a>
<h3><span class="mw-headline">Other </span></h3>
<ul>
<li>L2TP VPN added</li>
<li>DNS lookup page added</li>
<li>PFTop and Top in the GUI, with real-time updates</li>
<li>Config History now includes a diff feature</li>
<li>Config History has download buttons for prior versions</li>
<li>Config History has mouseover descriptions</li>
<li>CLI filter log parser (/usr/local/bin/filterparser)</li>
<li>Switched to PHP 5.2.x</li>
<li>IGMP proxy added</li>
<li>Multiple Dynamic DNS account support, including full multi-WAN support and multiple accounts on each interface.
<ul>
<li>DynDNS account types supported are:
<ul>
<li>DNS-O-Matic</li>
<li>DynDNS (dynamic)</li>
<li>DynDNS (static)</li>
<li>DynDNS (custom)</li>
<li>DHS</li>
<li>DyNS</li>
<li>easyDNS</li>
<li>No-IP</li>
<li>ODS.org</li>
<li>ZoneEdit</li>
<li>Loopia</li>
<li>freeDNS</li>
<li>DNSexit</li>
<li>OpenDNS</li>
<li>Namecheap.com</li>
</ul>
</li>
</ul>
</li>
<li>More interface types (VPNs, etc.) available for packet capture</li>
<li>The DNS Forwarder is used by the firewall itself for DNS resolution (configurable), so the firewall benefits from faster resolution via multiple concurrent queries, sees all DNS overrides/DHCP registrations, etc.</li>
<li>DHCP Server can now handle arbitrary numbered options, rather than only the options present in the GUI.</li>
<li>Automatic update now works for NanoBSD as well as full installs</li>
<li>More configuration sections can be synchronized via XMLRPC between CARP nodes.</li>
</ul>
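To make the NAT and Firewall items above concrete, here is an illustrative pf.conf fragment written for this article (it is not the ruleset pfSense 2.0 generates): it shows the file-backed persist table behind URL Table aliases, a negated port forward ("no rdr"), a port forward using "rdr pass" beside one that relies on a separate filter rule, and Block Private Networks on the WAN. Interface names, the server address and the table file path are assumed.

```pf
# Illustrative pf.conf fragment, hand-written for this article; not the
# rules pfSense produces. Assumed: em0 = WAN, em1 = LAN,
# 192.168.1.10 = internal web server, blocklist path is a placeholder.
wan = "em0"
lan = "em1"
webserver = "192.168.1.10"

# File-backed persistent table: the pf mechanism behind "URL Table
# Aliases". The file holds one address or CIDR per line and stays out
# of the ruleset text, so very large lists do not bloat pf.conf.
table <blocklist> persist file "/etc/pf.example/blocklist.txt"
# RFC 1918 space, as used by "Block Private Networks" on the WAN side.
table <private> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

set skip on lo0

# Negated port forward: never redirect SSH aimed at the WAN address,
# even if a broader rdr rule below would otherwise match it.
no rdr on $wan proto tcp from any to ($wan) port 22

# "rdr pass": translate and pass in one rule, so no filter rule is
# needed. Packets matched here skip the filter ruleset entirely.
rdr pass on $wan proto tcp from any to ($wan) port 443 -> $webserver port 443

# Plain rdr: translation only. The pass rule further down, written
# against the post-translation destination, must allow the traffic.
rdr on $wan proto tcp from any to ($wan) port 80 -> $webserver port 80

# Outbound NAT of the LAN to the WAN address (automatic outbound NAT).
nat on $wan from $lan:network to any -> ($wan)

# Filter rules: quick blocks first, then explicit passes, default deny.
block in log quick on $wan from <private> to any
block in log quick on $wan from <blocklist> to any
block in on $wan
pass in on $wan proto tcp from any to $webserver port 80 flags S/SA keep state
pass in on $lan from $lan:network to any keep state
pass out on $wan keep state
```

Because "rdr pass" bypasses the filter rules, the <private> and <blocklist> blocks above do not apply to the port 443 forward; when those checks must apply, use a plain rdr with an explicit pass rule as done for port 80.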